Privacy Policy

Last updated: January 2025

1. Introduction

Rafael Ogel & Justin Rüdiger GbR ("Papership Media", "we", "us", or "our") operates the Papership Media client portal (the "Service") and is committed to protecting your privacy and personal data in accordance with the General Data Protection Regulation (GDPR) and German data protection laws.

This Privacy Policy explains how we collect, use, process, and protect your personal data when you use our Service, particularly in connection with Instagram integration features.

Controller Information:

  • Name: Rafael Ogel & Justin Rüdiger GbR
  • Address: Mülheimer Straße 6, 68219 Mannheim, Germany
  • Managing Partners: Justin Rüdiger and Rafael Ogel
  • VAT ID: DE368809075
  • Email: info@papership-media.com
  • Phone: +49 160 7064 377

2. Data Collection and Use

2.1 Types of Data We Collect

Account Data:

  • Email address
  • Name
  • Password (encrypted)
  • Organization membership information
  • Roles and permissions within organizations

Instagram Integration Data:

  • Instagram username
  • Profile picture URL
  • Instagram media content (posts, images, videos)
  • Post captions and timestamps
  • OAuth access tokens and refresh tokens
  • Instagram follower information (when accessed via API)
  • Instagram direct message data for automation purposes
  • Webhook events from Instagram (comments, messages, mentions)

Usage Data:

  • IP addresses
  • Browser type and version
  • Device information
  • Access times and dates
  • Pages visited and features used

2.2 Purpose of Data Processing

We use your personal data to:

  • Provide and maintain our Service, including Instagram integration features
  • Authenticate your identity and manage your account
  • Enable Instagram content management and automation features
  • Respond to your requests and provide customer support
  • Send you important notifications about the Service
  • Comply with legal obligations
  • Prevent fraud and ensure security
  • Improve and optimize our Service

3. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

Art. 6(1)(b) GDPR - Contract Performance:

We process your data as necessary to perform our contract with you, including providing Instagram integration services, account management, and customer support.

Art. 6(1)(a) GDPR - Consent:

You have given explicit consent to the processing of your personal data, including Instagram data, by accepting this Privacy Policy and our Terms of Service during account registration.

Art. 6(1)(f) GDPR - Legitimate Interest:

We have a legitimate interest in ensuring the security of our Service, preventing fraud, and improving our platform's functionality.

4. Data Sharing and Third Parties

4.1 Meta Platforms (Instagram)

To provide Instagram integration features, we exchange data with Meta Platforms, Inc. (US) through their Instagram Basic Display API and Instagram Graph API. This includes:

  • OAuth tokens for API access
  • Instagram account information
  • Media content and metadata
  • Webhook events

Meta's processing of your data is subject to their Privacy Policy. Transfer of data to Meta (US) is safeguarded by Standard Contractual Clauses (SCCs).

4.2 Supabase

We use Supabase (Supabase Inc., US) for database hosting and authentication. Supabase processes your data as our data processor under a Data Processing Agreement (DPA). We recommend configuring Supabase to use EU data regions for GDPR compliance.

4.3 Vercel

Our Service is hosted on Vercel (Vercel Inc., US), which processes your IP address and usage data as our data processor under a DPA. We recommend configuring Vercel to use EU data regions.

4.4 Papership Media Administrators

Our platform administrators have access to all account and Instagram integration data as necessary to provide customer support, troubleshoot issues, and ensure the security and proper functioning of our Service. This access is limited to authorized personnel and is conducted in accordance with strict confidentiality obligations.

4.5 Legal Requirements

We may disclose your personal data if required by law, regulation, legal process, or governmental request.

5. International Data Transfers

Some of your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including:

  • United States: Meta (Instagram), Supabase, and Vercel operate data centers in the US

Safeguards:

We ensure that all international data transfers are protected by appropriate safeguards in accordance with GDPR Article 46, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with all service providers

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

Account Data:

  • Active accounts: For the duration of your use of the Service
  • Deleted accounts: Data is immediately deleted with a 30-day backup retention period

Instagram Data:

  • OAuth tokens: Until revoked by you or expired (with automatic refresh)
  • Media content: Cached for up to 10 minutes for performance optimization
  • Integration data: Deleted immediately upon disconnecting Instagram integration

Log Data:

Server logs and access logs are retained for 90 days for security and troubleshooting purposes.

After the retention period, we will securely delete or anonymize your personal data unless we are legally required to retain it.

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right of Access (Art. 15 GDPR):

You can request a copy of the personal data we hold about you, including Instagram integration data.

Right to Rectification (Art. 16 GDPR):

You can request correction of inaccurate or incomplete personal data through your account settings.

Right to Erasure (Art. 17 GDPR):

You can request deletion of your personal data, including disconnecting and deleting Instagram integration data.

Right to Restrict Processing (Art. 18 GDPR):

You can request restriction of processing under certain circumstances.

Right to Data Portability (Art. 20 GDPR):

You can request transfer of your data in a structured, commonly used format.

Right to Object (Art. 21 GDPR):

You can object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.

Right to Withdraw Consent:

You can withdraw your consent at any time by disconnecting your Instagram integration in your account settings.

Right to Lodge a Complaint:

You have the right to lodge a complaint with the competent supervisory authority:

  • Der Landesbeauftragte für den Datenschutz Baden-Württemberg
  • Königstraße 10a, 70173 Stuttgart, Germany
  • Website: www.baden-wuerttemberg.datenschutz.de

8. Cookies and Tracking Technologies

Our Service uses the following types of cookies and similar technologies:

Essential Cookies:

  • Authentication cookies to maintain your login session
  • Security cookies to prevent fraud and ensure platform security
  • Functionality cookies to remember your preferences

Analytics:

We may use analytics tools to understand how you use our Service and improve functionality. These tools do not collect personally identifiable information.

You can control cookies through your browser settings. However, disabling certain cookies may affect the functionality of the Service.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

  • Encryption of data in transit (TLS/SSL)
  • Secure password hashing and storage
  • Regular security assessments and updates
  • Access controls and authentication requirements
  • Regular backups of critical data

Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

10. Children's Privacy

Our Service is intended for business use and is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

  • Posting the updated Privacy Policy on our website
  • Sending you an email notification (if you have an account)
  • Displaying a prominent notice within the Service

The "Last updated" date at the top of this page indicates when the Privacy Policy was last revised.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Rafael Ogel & Justin Rüdiger GbR

Mülheimer Straße 6

68219 Mannheim, Germany

Email: info@papership-media.com

Phone: +49 160 7064 377

For privacy-related inquiries or to exercise your GDPR rights, please email us at info@papership-media.com with the subject line "GDPR Request". We will respond to your request within one month.